Thousands of servers may have been affected by attacks on Usenet this weekend and this morning that exploited a bug in InterNetNews software, enabling hackers to execute malicious commands even behind corporate firewalls.
The Computer Emergency Response Team posted fixes for the bug, which affects versions of INN up to 1.5, after being alerted to the problem by a Massachusetts Institute of Technology engineer.
Matt Power, a post-doctoral associate in computer science at MIT, in Cambridge, Mass., said the attack was the most significant Usenet security breach since the 1988 "Morris Internet worm" attack.
"It's rare to hear of a successful attempt to automate the penetration of probably thousands of servers throughout the Internet," Power said.
The attack began Saturday when someone posted four control messages in an attempt to gather password file and other configuration information from Usenet news sites by exploiting the INN bug, which was previously reported in a Feb. 20 CERT advisory, he said.
Fixes for the bug also were provided to CERT by an Internet Software Consortium programmer, James Brister, CERT officials said.
The bug enables control messages to be sent via UCB Mail without armoring tilde characters that begin lines, providing a window for malicious code to slip through firewalls.
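The defensive counterpart to this bug is to armor news-derived text before it reaches a mailer that treats a leading tilde as an escape command. The following C code is an added example and is not INN's code or the CERT patch; it assumes the BSD Mail/mailx convention that a line beginning with `~~` is delivered as a single literal tilde, and it pairs an armoring routine with a check a practitioner can use to confirm nothing unarmored slipped through.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (not INN's own code): armor a message body before handing
 * it to a mailer that honors "~" escape commands at the start of a line,
 * as UCB Mail does.  Every line that begins with '~' gets a second '~'
 * prepended; such mailers render "~~" as one literal tilde instead of
 * interpreting the rest of the line as a command (assumption: BSD
 * Mail/mailx escape convention).
 *
 * Returns the length of the armored text, or -1 if `out` is too small.
 */
long armor_tildes(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    int at_line_start = 1;

    for (const char *p = in; *p != '\0'; p++) {
        if (at_line_start && *p == '~') {
            if (o + 1 >= outlen) return -1;
            out[o++] = '~';             /* double the leading tilde */
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *p;
        at_line_start = (*p == '\n');   /* next byte starts a new line? */
    }
    out[o] = '\0';
    return (long)o;
}

/* Guard: report whether `text` still contains a line that starts with a
 * single, unarmored '~'.  Returns 1 if such a line exists, 0 otherwise.
 * A line starting with "~~" counts as armored. */
int has_unarmored_tilde_line(const char *text)
{
    int at_line_start = 1;
    for (const char *p = text; *p != '\0'; p++) {
        if (at_line_start && p[0] == '~' && p[1] != '~')
            return 1;
        at_line_start = (*p == '\n');
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: one ordinary line, one line that a tilde-aware
     * mailer would otherwise treat as an escape command. */
    const char *body = "hello\n~x cmd\nnormal\n";
    char armored[128];

    printf("unarmored before: %d\n", has_unarmored_tilde_line(body));
    if (armor_tildes(body, armored, sizeof armored) < 0) {
        fprintf(stderr, "output buffer too small\n");
        return 1;
    }
    printf("unarmored after:  %d\n", has_unarmored_tilde_line(armored));
    fputs(armored, stdout);
    return 0;
}
```

The check is deliberately separate from the armoring step so it can be applied at the boundary where text is handed to the mailer, regardless of which component produced it.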
The glitch also allows unauthorized access to news servers, Power added.
"You could become a valid user of a news server as a consequence of just sending a message," he said.
Smaller Internet service providers are particularly vulnerable, since they might locate all their data on a single computer, Power said.
This weekend's attack differs from previous instances of hacking on Usenet in that it appears to be indiscriminate: every Usenet news server using the INN software was affected.
CERT recommends that all sites using INN update to Version 1.5.1 and apply a patch that is posted at ftp://ftp.cert.org/pub/cert_advisories/CA-97.08.
So far, the hackers have not been identified, according to CERT.